The campaign relies on ClickFix, a method that tricks users into executing malicious terminal commands by presenting fake error messages or repair instructions. Once a victim follows these prompts, the malware installs itself, granting attackers deep access to the system. Kaspersky notes that OkoBot avoids targeting users in Russia and other Commonwealth of Independent States countries, focusing its reach instead on Brazil, Vietnam, Canada, Mexico, and Turkey.
At the core of the operation are roughly 20 specialized modules. The SeedHunter component is particularly damaging, presenting users with convincing fake recovery screens for Ledger and Trezor hardware wallets to capture seed phrases directly. Other components, such as MC Keylogger and OkoSpyware, monitor keyboard input, clipboard activity, and screen contents to siphon passwords and account credentials. Because blockchain transactions cannot be reversed, victims have virtually no path to recovery once their funds are moved.
This trend of weaponizing developer environments mirrors recent activity by groups like the Lazarus Group, which utilized similar terminal-based tactics in their Mach-O Man campaign. By embedding malicious commands within what appear to be routine troubleshooting steps, attackers are increasingly bypassing traditional security software, necessitating heightened vigilance among developers and crypto users alike.

Comments (0)
No comments yet. Be the first!